From: Florian Weimer <fweimer@redhat.com>
To: "H.J. Lu" <hjl.tools@gmail.com>
Cc: libc-alpha@sourceware.org, Carlos O'Donell <carlos@redhat.com>,
Michael Hudson-Doyle <michael.hudson@canonical.com>
Subject: Re: [PATCH] elf: Check invalid hole in PT_LOAD segments [BZ #28838]
Date: Mon, 31 Jan 2022 16:39:49 +0100 [thread overview]
Message-ID: <877daf9anu.fsf@oldenburg.str.redhat.com> (raw)
In-Reply-To: <20220131152452.1061323-1-hjl.tools@gmail.com> (H. J. Lu's message of "Mon, 31 Jan 2022 07:24:52 -0800")
* H. J. Lu:
> commit 163f625cf9becbb82dfec63a29e566324129c0cd
> Author: H.J. Lu <hjl.tools@gmail.com>
> Date: Tue Dec 21 12:35:47 2021 -0800
>
> elf: Remove excessive p_align check on PT_LOAD segments [BZ #28688]
>
> removed the p_align check against the page size. It caused the loader
> crash in shared objects with the invalid p_align. Update _dl_map_segments
> to detect invalid holes. This fixes BZ #28838.
Commit message should reference commit ID and mention the failing
test/module name.
> ---
> elf/dl-map-segments.h | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/elf/dl-map-segments.h b/elf/dl-map-segments.h
> index 172692b120..fd24cf5d01 100644
> --- a/elf/dl-map-segments.h
> +++ b/elf/dl-map-segments.h
> @@ -113,6 +113,9 @@ _dl_map_segments (struct link_map *l, int fd,
> unallocated. Then jump into the normal segment-mapping loop to
> handle the portion of the segment past the end of the file
> mapping. */
> + if (__glibc_unlikely (loadcmds[nloadcmds - 1].mapstart <
> + c->mapend))
> + return N_("ELF load command address/offset not page-aligned");
> if (__glibc_unlikely
> (__mprotect ((caddr_t) (l->l_addr + c->mapend),
> loadcmds[nloadcmds - 1].mapstart - c->mapend,
This seems to be fairly risky because I don't think that so far, we
enforce increasing LOAD segment addresses (although required by te EHF
specification).
Given
LDFLAGS-tst-p_alignmod3.so += -Wl,-z,max-page-size=0x100,-z,common-page-size=0x100
and RELRO construction for that
.../elf/tst-p_alignmod3.so: cannot change memory protections
seems to be a valid failure string for this test. However, worst case,
there could be a different kind of failure, if the RELRO mprotect start
is page-aligned by chance, and the kernel rounds up the end address to a
page boundary. The RELRO protection then covers more than what the link
editor expected, and this can cause crashes later on. But this isn't
something we can detect easily, I think.
Thanks,
Florian
next prev parent reply other threads:[~2022-01-31 15:40 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-31 15:24 H.J. Lu
2022-01-31 15:39 ` Florian Weimer [this message]
2022-01-31 15:59 ` H.J. Lu
2022-01-31 16:07 ` H.J. Lu
2022-01-31 22:19 ` Michael Hudson-Doyle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877daf9anu.fsf@oldenburg.str.redhat.com \
--to=fweimer@redhat.com \
--cc=carlos@redhat.com \
--cc=hjl.tools@gmail.com \
--cc=libc-alpha@sourceware.org \
--cc=michael.hudson@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).